Mapping engine does not handle regex properly

Currently, if there is more than one assertion value (the list of group ids returned from the idp). Then when using regex to compare again the mapping values, only the first values are used. Change-Id: Iba7d455ef0d5fc2d4ac16f4a7eb553845270fb2c Closes-Bug: #1321536
2014-05-20 22:58:29 -04:00 · 2014-05-20 22:58:29 -04:00 · 713ddcf0b3
parent 455d50e8ae
commit 713ddcf0b3
3 changed files with 65 additions and 3 deletions
--- a/keystone/contrib/federation/utils.py
+++ b/keystone/contrib/federation/utils.py
@ -403,7 +403,11 @@ class RuleProcessor(object):
            return False

        if regex:
-            return re.search(values[0], assertion_values[0])
+            for value in values:
+                for assertion_value in assertion_values:
+                    if re.search(value, assertion_value):
+                        return True
+            return False

        any_match = bool(set(values).intersection(set(assertion_values)))
        if any_match and eval_type == self._EvalType.ANY_ONE_OF:
--- a/keystone/tests/mapping_fixtures.py
+++ b/keystone/tests/mapping_fixtures.py
@ -193,7 +193,6 @@ MAPPING_LARGE = {
    ]
 }

-
 MAPPING_BAD_REQ = {
    "rules": [
        {
@ -417,6 +416,43 @@ MAPPING_EXTRA_RULES_PROPS = {
    ]
 }

+MAPPING_TESTER_REGEX = {
+    "rules": [
+        {
+            "local": [
+                {
+                    "user": {
+                        "name": "{0}",
+                    }
+                }
+            ],
+            "remote": [
+                {
+                    "type": "UserName"
+                }
+            ]
+        },
+        {
+            "local": [
+                {
+                    "group": {
+                        "id": TESTER_GROUP_ID
+                    }
+                }
+            ],
+            "remote": [
+                {
+                    "type": "orgPersonType",
+                    "any_one_of": [
+                        ".*Tester*"
+                    ],
+                    "regex": True
+                }
+            ]
+        }
+    ]
+}
+
 EMPLOYEE_ASSERTION = {
    'Email': 'tim@example.com',
    'UserName': 'tbo',
@ -462,7 +498,7 @@ TESTER_ASSERTION = {
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
-    'orgPersonType': 'Tester;'
+    'orgPersonType': 'MadeupGroup;Tester;GroupX'
 }

 BAD_TESTER_ASSERTION = {
--- a/keystone/tests/test_v3_federation.py
+++ b/keystone/tests/test_v3_federation.py
@ -609,6 +609,28 @@ class MappingRuleEngineTests(FederationTests):
        self.assertRaises(exception.Unauthorized,
                          rp.process, assertion)

+    def test_rule_engine_regex_many_groups(self):
+        """Should return group CONTRACTOR_GROUP_ID.
+
+        The TESTER_ASSERTION should successfully have a match in
+        MAPPING_TESTER_REGEX. This will test the case where many groups
+        are in the assertion, and a regex value is used to try and find
+        a match.
+
+        """
+
+        mapping = mapping_fixtures.MAPPING_TESTER_REGEX
+        assertion = mapping_fixtures.TESTER_ASSERTION
+        rp = mapping_utils.RuleProcessor(mapping['rules'])
+        values = rp.process(assertion)
+
+        user_name = assertion.get('UserName')
+        group_ids = values.get('group_ids')
+        name = values.get('name')
+
+        self.assertEqual(user_name, name)
+        self.assertIn(mapping_fixtures.TESTER_GROUP_ID, group_ids)
+
    def test_rule_engine_any_one_of_many_rules(self):
        """Should return group CONTRACTOR_GROUP_ID.